Snort mailing list archives
RE: Clueless in Toronto
From: "Rich Stryker" <rstryker () virtuallearning net>
Date: Thu, 19 Dec 2002 12:50:11 -0500
Is there any reason that you can think of as to why my SNORT, when set to log to a binary file, would die after a few seconds or a minute or two? And why the binary file that is created can't be read by SNORT afterwards like the SNORT document says it can?

Thanks,
Rich

-----Original Message-----
From: Joel Healy [mailto:Joel.Healy () amphenderson co nz]
Sent: Wednesday, December 18, 2002 2:48 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto

Hi Rich,

Ok... When you run snort you will need to tell it where its configuration file is unless you have it in the default location, and I don't know where that is on a W2K box. Have a read of what command line options (check out http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.1) you can pass to it, as it sounds like you are using the -l command to create packet logs, which is in effect creating the IP address subfolders, but for a fairly vanilla installation you could run it as "snort -c C:\mypath\snort.conf"; your snort.conf should be where your rules are.

So the next step is to edit your snort.conf file (check out http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5) and configure one of the output plugins.. for example for your alert.ids file..

output alert_fast: alert.ids

A best practice configuration is to configure snort to use the unified output plugin

output alert_unified: snort.alert

which writes out the alerts in a binary format that is much quicker than any of the other plugins.. then use barnyard to read the file and output the alert.. it can output in any of the ways snort can. That allows snort (or hogwash) to keep up with quite high traffic throughput.

Anyway, hope that helps.

cheers
joel

-----Original Message-----
From: Rich Stryker [mailto:rstryker () virtuallearning net]
Sent: Thursday, December 19, 2002 7:43 AM
To: SnortUsers (E-mail)
Subject: RE: [Snort-users] Clueless in Toronto

Great, thanks Keith! Got it. I understand now why that is. Switches will broadcast only once until they know which port to send traffic out of. This would mean I would miss just about everything except for the broadcasts and multicasts. Whereas a hub is in constant broadcast mode since it shouldn't have the ability to have a MAC table... right?

Assuming I am correct, can you or anyone else now help me with SNORTSNARF? When I followed the instructions from Silicon Defense for installing SNORT on a W2K machine with IIS, SNORT created an alert.ids file. I set up SNORT to run as a service but I didn't get anything, no logs etc. When SNORT runs from the command line it doesn't write to the alert.ids but creates sub folders for every IP address it finds, which I have read to mean that is the default setting. Any suggestions on how I can get the logs to be put into the alert.ids and thereby allow me to get SNORTSNARF to work?

-----Original Message-----
From: Knight, Ric [mailto:RKnight () TUC ca]
Sent: Wednesday, December 18, 2002 1:28 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto
Importance: Low

Rich,

If you only have dumb switches, then get a hub. Force all traffic you want to monitor through the hub. You only need one interface on the SNORT box to monitor traffic. If you want to use switches, you need to enable port spanning so that one switch port receives all the traffic on the switch, and then plug snort into that port.

Crude text diagram...

        Snort
          ||
          \/
Router <----> Hub <-------> firewall

=-=-=-=-=-=-=-=-=-=-
Ric Knight
Network Engineer
TransUnion Canada
170 Jackson St. E.
Hamilton Ontario, L8N 1L4
(905) 525-9013 x6212

-----Original Message-----
From: Rich Stryker [mailto:rstryker () virtuallearning net]
Sent: December 18, 2002 11:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Clueless in Toronto

Hi,

I have installed SNORT 1.8x on a W2K Server. No service packs as yet because I am just testing the waters with it. There are 2 NICs. I can't seem to figure out how to implement it now that it is running. I figure I will put it behind my firewall. But how do I force traffic to go through one NIC on the server and out through the other? Do I even need to do this; is one NIC enough to perform NIDS? I had SNORT doing sniffing but it only tracked the local computer's traffic and nothing else. I have SNORTSNARF installed to see the reports, but when I seem to have SNORT running I can't find the log files. I want SNORT set up for NIDS. All help is greatly appreciated.

Thanks,
Rich

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
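Joel's suggestion above routes alerts through the alert_fast plugin into alert.ids, the one-line-per-alert text format that SnortSnarf summarises. As an added example (not code from the thread, from Snort or from SnortSnarf), the script below parses constructed alert_fast lines and builds the per-signature and per-source rollups a SnortSnarf-style report is based on; it assumes the classic alert_fast line layout shown in the sample and skips lines that do not fit it.

```python
import re
from collections import Counter

# Constructed sample lines in the alert_fast layout (assumed layout, not taken
# from the thread): timestamp, [**] gid:sid:rev block [**], classification,
# priority, protocol, src -> dst (ports only for TCP/UDP). The last line is
# deliberately malformed to show the parser skipping it instead of failing.
SAMPLE_ALERTS = """\
12/18-11:32:01.104523  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.77 -> 192.168.1.10
12/18-11:32:02.220011  [**] [1:1228:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40511 -> 192.168.1.10:80
12/18-11:32:05.000120  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.77 -> 192.168.1.11
12/18-11:32:09.813377  [**] [1:2003:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 192.168.1.10:1434
this line is garbage and must be skipped rather than crash the parser
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # classification is optional
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert_fast(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts

def summarise(alerts):
    """SnortSnarf-style rollups: alert count per signature message and per source address."""
    by_sig = Counter(a["msg"] for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_sig, by_src

if __name__ == "__main__":
    by_sig, by_src = summarise(parse_alert_fast(SAMPLE_ALERTS))
    print("Alerts by signature:")
    for msg, n in by_sig.most_common():
        print(f"{n:4d}  {msg}")
    print("Alerts by source address:")
    for src, n in by_src.most_common():
        print(f"{n:4d}  {src}")
```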